Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] stompy the session stomper - tool availability

from [Michal Zalewski] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] stompy the session stomper - tool availability
Date: Thu, 1 Feb 2007 00:18:35 +0100 (CET) 
On Sat, 27 Jan 2007, Michal Zalewski wrote:


I'd like to announce the availability of 'stompy', a free tool to perform
a fairly detailed black-box assessment of WWW session identifier
generation algorithms.


I'm genuinely surprised by the amount of (mostly positive ;-) feedback I
got! Just an one-time, quick heads up: in response to numerous
suggestions, I added a couple of fairly significant features to the tool
that should make it capable of discovering far more - so if you downloaded
it several days ago, you might want to update your copy:

  - It now supports SSL connections, custom-crafted requests including
    POSTs, and input from external sources (for evaluation of non-WWW
    tokens of any type),

  - It now uses GNU MP library to losslessly handle alphabets that do not
    directly map to binary (this is big),

  - Can run spatial correlation checks as well as temporal analysis of
    bitstreams in acquired samples,

  - The output is much more readable, some minor bugs were fixed.

A much better documentation is available, as well. The tarball for version
0.04 is available here: http://lcamtuf.coredump.cx/stompy.tgz

Regards (and shutting up!),
/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Targeted password cracking by exploiting the registration functionality of a web application., Anurag Agarwal
Next by Date:  Technika - Attack Scripting Environment, pdp (architect)
Previous by Thread:  Re: [Full-disclosure] stompy the session stomper - tool availability, Michal Zalewski
Next by Thread:  [Full-disclosure] 2007 Security OPUS CFP: Closed (Agenda included), Sharkey
Indexes:  [Date] [Thread] [Top] [All Lists]